test: add tests for booting secret free VMs

roypat · roypat · commit 41f5cb701338 · 2025-04-08T15:12:48.000+01:00
Add a test that we can boot "normal" VMs on ARM with secret freedom
enabled (e.g. I/O works through the swiotlb region), and test that on
x86 we can boot at least an initrd (e.g. a very simple VM that doesnt
have any I/O devices attached).

Skip tets on m6g.metal, as currently direct map removal causes panics on
this hardware.

Signed-off-by: Patrick Roy &lt;roypat@amazon.co.uk&gt;
diff --git a/tests/integration_tests/functional/test_secret_freedom.py b/tests/integration_tests/functional/test_secret_freedom.py
@@ -0,0 +1,65 @@
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Test secret-freedom related functionality."""
+
+import platform
+
+import pytest
+
+from framework import defs
+from framework.microvm import Serial
+from framework.properties import global_props
+from integration_tests.performance.test_initrd import INITRD_FILESYSTEM
+
+pytestmark = [
+    pytest.mark.skipif(
+        global_props.host_linux_version_metrics != "next",
+        reason="Secret Freedom is only supported on the in-dev upstream kernels for now",
+    ),
+    pytest.mark.skipif(
+        global_props.instance == "m6g.metal",
+        reason="Secret Freedom currently only works on ARM hardware conforming to at least ARMv8.4 as absense of ARM64_HAS_STAGE2_FWB causes kernel panics because of dcache flushing during stage2 page table entry installation",
+    ),
+]
+
+
+@pytest.mark.skipif(
+    platform.machine() != "aarch64",
+    reason="only ARM can boot secret free VMs with I/O devices",
+)
+def test_secret_free_boot(microvm_factory, guest_kernel_linux_6_1, rootfs):
+    """Tests that a VM can boot if all virtio devices are bound to a swiotlb region, and
+    that this swiotlb region is actually discovered by the guest."""
+    vm = microvm_factory.build(guest_kernel_linux_6_1, rootfs)
+    vm.spawn()
+    vm.memory_monitor = None
+    vm.basic_config(memory_config={"initial_swiotlb_size": 64, "secret_free": True})
+    vm.add_net_iface()
+    vm.start()
+
+
+def test_secret_free_initrd(microvm_factory, guest_kernel_linux_6_1):
+    """
+    Test that we can boot a secret hidden initrd (e.g. a VM with no I/O devices)
+    """
+    fs = defs.ARTIFACT_DIR / "initramfs.cpio"
+    uvm = microvm_factory.build(guest_kernel_linux_6_1)
+    uvm.initrd_file = fs
+    uvm.help.enable_console()
+    uvm.spawn()
+    uvm.memory_monitor = None
+
+    uvm.basic_config(
+        add_root_device=False,
+        vcpu_count=1,
+        boot_args="console=ttyS0 reboot=k panic=1 pci=off no-kvmclock",
+        use_initrd=True,
+        memory_config={"initial_swiotlb_size": 64, "secret_free": True},
+    )
+
+    uvm.start()
+    serial = Serial(uvm)
+    serial.open()
+    serial.rx(token="# ")
+    serial.tx("mount |grep rootfs")
+    serial.rx(token=f"rootfs on / type {INITRD_FILESYSTEM}")
